LinuxQuestions.org
Old 03-06-2024, 11:02 PM   #1
gentisle
Member
 
Registered: May 2005
Location: Wisconsin, USA
Distribution: LinuxMint, OpenBSD
Posts: 263

Rep: Reputation: 9
gpg Keeps asking "need the secret key to do this"


I'm trying to update an expired key for email. I'm using MacOS Sonoma 14.3.1 on an Intel Macbook. gpg version is:
Code:
gpg (GnuPG) 2.3.8
libgcrypt 1.10.1
Copyright (C) 2021 Free Software Foundation, Inc.
License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

I enter gpg --edit-key XXXXX..., and I receive the gpg prompt.
Then I enter expire, and it states:
Code:
need the secret key to do this
.

I had previously had Catalina, then upgraded to Monterey, then wiped the HDD, and reinstalled Sonoma. Prior to that, I copied my user dir to an external HDD, and subsequently copied it back to my new installation of the OS.

It's been a few years since I initially installed GPG, and set all this up, so I'm not remembering my password. Did I fail to back up the correct files/directories? The key still works in my email (for receiving, I don't ever send to the organization that sends me the encrypted emails). So if I revoke it, I'll never see those old emails again. I was able to change the expiry date for my main key. But what is the secret key it's asking for? Is it some file not in my .gnupg directory? The man command states "No entry for gpg". Typing ManPath = /opt/local/share/man
/usr/local/share/man
/opt/local/man
/usr/share/man
/Library/Developer/CommandLineTools/SDKs/MacOSX.sdk/usr/share/man
/Library/Developer/CommandLineTools/usr/share/man
[on one line separated by colons, of course]

However if I
Code:
echo $MANPATH
,
I get /opt/local/share/man:/usr/local/share/man::. Not sure how those two differing manpaths can be in the same OS/shell. BTW, shell is the standard zsh.
Code:
which gpg
= /usr/local/bin/gpg
Anyway, when I issue the expire command at the gpg command line, it gives me that message, and I have tried putting various passwords after expire with and without "--key" after expire.

So I Googled man page gpg, and that doesn't give me anything that makes sense. Do I need to gpg --keyring file in my .gnupg dir to get the program to recognize something? The GUI gpgtools seems to read everything and all the other keys work, and as far as I can remember, all keys are there. I tried clicking on that to change the expiration date, but no luck. I can change it for my main ID, but not this expired one. Here's the output from gpg --list-sigs:
Code:
pub rsa4096 2012-10-16 [SC] [expired: 2023-10-18]
3E...3DA
uid [ expired] Some Org <noreply@someorg.com>
sig 3 A3...DA 2021-10-08 Some Org <noreply@someorg.com>
uid [ expired] Some Org <nonsense@someorg.com>
sig 3 A3...DA 2017-10-14 Some Org <noreply@someorg.com>
sig 3 A3...DA 2021-10-08 Some Org <noreply@someorg.com>

Thanks,
gentisle
 
Old 03-07-2024, 07:14 AM   #2
business_kid
LQ Guru
 
Registered: Jan 2006
Location: Ireland
Distribution: Slackware, Slarm64 & Android
Posts: 16,297

Rep: Reputation: 2322
I'm vague on this but there's utilities to generate a public/private key pair. You're apparently missing the private one. I know this because some distros (e.g. slarm64) generate keys on the first boot and then reboot. Try
Code:
# updatedb
# locate keygen
and take your pick. FYI, that will also change the public key, so you'll have to circulate the new one.

Last edited by business_kid; 03-07-2024 at 07:17 AM.
 
1 members found this post helpful.
Old 03-07-2024, 07:58 AM   #3
gentisle
Member
 
Registered: May 2005
Location: Wisconsin, USA
Distribution: LinuxMint, OpenBSD
Posts: 263

Original Poster
Rep: Reputation: 9
I'm not sure where to enter that:
Code:
# updatedb
# locate keygen
The updatedb command was nonexistent; the locate keygen told me:

Code:
WARNING: The locate database (/var/db/locate.database) does not exist.
To create the database, run the following command:

  sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.locate.plist

Please be aware that the database can take some time to generate; once
the database has been created, this message will no longer appear.
Is that the one you're talking about?

I just noticed inside the GUI that the key was created in 2012, and I didn't have this computer back then, so would that be their public key, and therefore there is nothing I need to do?
Thanks
 
Old 03-07-2024, 11:23 AM   #4
business_kid
LQ Guru
 
Registered: Jan 2006
Location: Ireland
Distribution: Slackware, Slarm64 & Android
Posts: 16,297

Rep: Reputation: 2322
1. I gave a vague hint with the '#' prompt. Enter it in a root terminal, or use 'sudo updatedb' in a user terminal.

I have never seen output like you describe. It apparently wants you to store your file database online? I don't imagine you want to do that. But Monterey is a MacOS version, isn't it? So I suppose Catalina is too. I thought you were in Mint or BSD?

Neither do I know why you saw that message. BTW I'm on Slackware, which doesn't use systemd.

There are various programs for creating a file database in linux. locate was the first. mlocate & slocate are others, but they all accept the locate syntax. Your linux distribution probably has one. All bets are off with MacOS, but you can probably compile the source code? From the little I know about MacOS, it has many BSD utilities in there.

You could run around directories in the $PATH and type 'ls *keygen*' if you need to avoid the search, but that's surely a pain.

Last edited by business_kid; 03-07-2024 at 11:28 AM.
 
1 members found this post helpful.
Old 03-08-2024, 01:45 PM   #5
gentisle
Member
 
Registered: May 2005
Location: Wisconsin, USA
Distribution: LinuxMint, OpenBSD
Posts: 263

Original Poster
Rep: Reputation: 9
Sorry business_kid,

I forgot '#' was the prompt because I hated it so much and changed my prompt to something that looks nicer and is more informative. (Not to mention my declining mentality).
There is no updatedb command in MacOS. I checked in the Mac ports and brew, but nothing. Must be Linux and other BSD only (and Solaris?). Yes, Monterey and Catalina are older MacOS versions. Yes, I do use Mint and BSD, but I also have a Macbook. I like to check out as many different OS' as I have time for. I once looked at Slackware, but it's out of my league, as is Linux From Scratch, and any other OS that has to be "assembled" from basic parts. At this point, I doubt I'll ever be able to comprehend enough to do something like that. That's a pity, since I enjoy checking out new OS' so much. Compiling source is too complicated for me. I've tried a few times on some code I downloaded, but there were so many errors, I gave up. I could never comprehend networking and coding. Two things I really wanted to learn so I could make more money.

Unless someone has something to add to that, I'll close this one in a few days. Thanks again for your help.
 
Old 03-08-2024, 02:58 PM   #6
business_kid
LQ Guru
 
Registered: Jan 2006
Location: Ireland
Distribution: Slackware, Slarm64 & Android
Posts: 16,297

Rep: Reputation: 2322
OK, here's what key generation tools Slackware has.
Code:
/usr/bin/ssh-keygen
/usr/sbin/dnssec-keygen
/usr/sbin/ikeygen
/usr/sbin/ntp-keygen
/usr/sbin/tsig-keygen
Your problem is: Encryption using gpg uses a private/public key pair. You encrypt with the private key, and anyone with your public key can decrypt. So you can selectively share your public key only with folks getting your encrypted messages.

Your program error is telling you that the private key can't be found. So you can't encrypt anything. You may have a key generator for your mailer. Check around the directories in the $PATH.

If you want to learn about stuff, do LFS. You'll get through with persistence, and you'll know stuff at the end. If it looks like too much work, forget learning. Not everything comes quickly. And the dictionary is the only place where "Success" comes before "Work".

Last edited by business_kid; 03-08-2024 at 03:02 PM.
 
1 members found this post helpful.
Old 03-09-2024, 12:02 AM   #7
Michael Uplawski
Senior Member
 
Registered: Dec 2015
Posts: 1,622
Blog Entries: 40

Rep: Reputation: Disabled
Quote:
Originally Posted by gentisle View Post
I'm trying to update an expired key for email.
How can you have a GnuPG key for email, if you have no private key?
If it is not *your* key, then you cannot update it. End-Of-Story.
 
1 members found this post helpful.
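
The check behind the reply above, as an added example that is not part of any post in this thread: it reads gpg's machine-readable `--with-colons` listings and reports whether a key ID has a secret-key (`sec`) record or only a public (`pub`) one. The function names, the sample listings and the key IDs in them are constructed for illustration.

```shell
#!/bin/sh
# Added example. "expire" in gpg --edit-key re-signs the key, so it only works
# when the keyring holds a "sec" (secret key) record for that key ID.

# has_record TYPE KEYID LISTING -> exit 0 if LISTING (gpg --with-colons output)
# has a record of TYPE whose key ID (field 5) ends with KEYID.
has_record() {
    printf '%s\n' "$3" | awk -F: -v type="$1" -v id="$2" '
        $1 == type {
            have = toupper($5); want = toupper(id)
            if (length(want) > 0 && length(have) >= length(want) &&
                substr(have, length(have) - length(want) + 1) == want) found = 1
        }
        END { exit !found }'
}

# classify_key KEYID PUB_LISTING SEC_LISTING
# Prints own-key, public-only or not-found.
classify_key() {
    if has_record sec "$1" "$3"; then
        echo own-key          # expiry can be changed locally
    elif has_record pub "$1" "$2"; then
        echo public-only      # someone else's key: only its owner can extend it
    else
        echo not-found
    fi
}

# Constructed sample listings (key IDs and dates are made up).
SAMPLE_PUB='pub:e:4096:1:AAAAAAAA11111111:1350345600:1697587200::-:::sc::::::23::0:
uid:e::::1633651200::::Some Org <noreply@someorg.com>::::::::::0:
pub:u:4096:1:BBBBBBBB22222222:1600000000:1900000000::u:::scESC::::::23::0:
uid:u::::1600000000::::Me <me@example.org>::::::::::0:'
SAMPLE_SEC='sec:u:4096:1:BBBBBBBB22222222:1600000000:1900000000::u:::scESC:::+:::23::0:'

# With gpg installed, classify a real key ID given as the first argument.
if [ -n "${1:-}" ] && command -v gpg >/dev/null 2>&1; then
    classify_key "$1" "$(gpg --list-keys --with-colons 2>/dev/null)" \
                      "$(gpg --list-secret-keys --with-colons 2>/dev/null)"
fi
```

A `public-only` result for an expired key means the refreshed copy has to come from the key's owner, for example by importing an updated public key they publish.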
Old 03-11-2024, 10:23 PM   #8
gentisle
Member
 
Registered: May 2005
Location: Wisconsin, USA
Distribution: LinuxMint, OpenBSD
Posts: 263

Original Poster
Rep: Reputation: 9
Thanks Michael Uplawski,
It's my ignorance of the program not backing up properly.
 
  

